Bug 475188 - PHP error: undefined variable charset in squirrelmail
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: squirrelmail
Version: 5.5
Hardware: All Linux
Priority: medium, Severity: medium
Target Milestone: rc
Assigned To: Michal Hlavinka
QA Contact: qe-baseos-daemons
Depends On: 237136
Blocks: 743405
Reported: 2008-12-08 07:56 EST by Michal Hlavinka
Modified: 2013-01-07 23:58 EST
Fixed In Version: squirrelmail-1.4.8-20.el5
Doc Type: Bug Fix
Last Closed: 2013-01-07 23:58:01 EST
External Trackers: Red Hat Product Errata RHSA-2013:0126 (priority: normal, status: SHIPPED_LIVE), "Low: squirrelmail security and bug fix update", last updated 2013-01-08 04:21:41 EST

Description Michal Hlavinka 2008-12-08 07:56:49 EST
+++ This bug was initially created as a clone of Bug #237136 +++

Description of problem:

The new Fedora devel SM package is useless as it won't let you see any mail

Version-Release number of selected component (if applicable):

squirrelmail-1.4.9a-1.fc7.noarch

How reproducible:

Always

Steps to Reproduce:
1. select a mail you want to read
  
Actual results:

Blank page

Expected results:

The mail

Additional info:

In apache logs: 

[Thu Apr 19 18:38:11 2007] [error] [client X.X.X.X] PHP Notice:  Undefined
variable: body_message in /usr/share/squirrelmail/functions/mime.php on line
317, referer:
https://x.y.org/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=Technique.Fedora
[Thu Apr 19 18:38:11 2007] [error] [client X.X.X.X] PHP Notice:  Trying to get
property of non-object in /usr/share/squirrelmail/functions/mime.php on line
317, referer:
https://x.y.org/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=Technique.Fedora


problem was introduced by squirrelmail-1.4.8-IE-Japanese-download-ugly-hack.patch
Comment 1 Jonathan Abbey 2009-01-22 17:20:37 EST
The title doesn't seem to relate to the 'Additional info' log extract.
Comment 2 Michal Hlavinka 2009-01-26 08:50:33 EST
(In reply to comment #1)
> The title doesn't seem to relate to the 'Additional info' log extract.

doesn't seem but I know it is :)
Comment 3 RHEL Product and Program Management 2009-03-26 13:18:44 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 4 RHEL Product and Program Management 2009-11-06 14:17:10 EST
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 5 Tomas 2009-11-07 04:42:16 EST
Remove squirrelmail-1.4.8-IE-Japanese-download-ugly-hack.patch patch from RHEL src rpms or fix it. Patch is broken. SendDownloadHeaders() rawurlencode changes fix only part of one issue. Other changes are not justified and produce PHP errors original bug reporter is complaining about.

---
+    if($squirrelmail_language != 'ja_JP')
+        if (isset($languages[$squirrelmail_language]['XTRA_CODE']) &&
---
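Review bot: the first added line, `if($squirrelmail_language != 'ja_JP')`, is an unbraced `if` wrapping a second `if`, so any `else` that follows would bind to the inner condition; brace the outer block explicitly. Neither added line shows `$squirrelmail_language` or `$languages` being brought into scope, so if this hunk sits inside a function without a `global` declaration for them, the comparison runs against an undefined local and the `XTRA_CODE` lookup can never match; confirm the declaration exists in the enclosing function or add it.
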
Check (and whole block) is useless. You exclude Japanese and then test for XTRA_CODE. Only Japanese translation has usable XTRA_CODE functions. Korean XTRA_CODE is broken.

You broke working code with your patch. Fedora packages removed that patch two years ago.
Comment 6 Michal Hlavinka 2009-11-09 09:01:44 EST
Hi Tomas,

thanks for the info. Unfortunately I can't touch that package without PM approval (which was denied for rhel 5.5 in comment #4).

Also every patch in rhel is added only to fix some issue and for removing that patch I have to find out bz number it was trying to fix and check if it works without that patch or provide another patch. It seems this patch should fix #195639, but I'll have to look, because I didn't add this patch and I was not maintaining this package in time when it was added.
Comment 8 RHEL Product and Program Management 2010-08-09 15:34:09 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 9 R P Herrold 2010-12-03 17:17:30 EST
Similar messages exist for other variables as well:

[Fri Dec 03 16:57:19 2010] [error] [client ELIDED] PHP Notice:  Undefined variable: charset in /usr/share/squirrelmail/functions/mime.php on line 317, referer: http://ELIDED/src/right_main.php?mailbox=INBOX&startMessage=1


[Fri Dec 03 16:57:19 2010] [error] [client ELIDED] PHP Notice:  Undefined variable: charset_converted in /usr/share/squirrelmail/functions/mime.php on line 316, referer: http://ELIDED/src/right_main.php?mailbox=INBOX&startMessage=1


[Fri Dec 03 16:52:23 2010] [error] [client ELIDED] PHP Notice:  Undefined variable: squirrelmail_language in /usr/share/squirrelmail/functions/mime.php on line 607, referer: http://ELIDED/src/right_main.php

This is perhaps more troubling, because an 'Undefined variable' which is being used, is an UNVALIDATED variable, out of scope or otherwise.  Unvalidated variables have security overtones in PHP code.

http://www.php.net/manual/en/security.variables.php

CVE-2010-2813 was a character set related matter
CVE-2009-1581 was problems in functions/mime.php

I've not yet traced the code paths out but I note in a log file review that I am receiving probing attacks on that code from other continents (no such remote users existing here, of course).

Perhaps this needs to be re-examined with an eye to security matters?

-- Russ herrold
Comment 10 Tomas 2010-12-04 12:08:46 EST
CVE-2010-2813 is about login.php and IMAP functions. And SquirrelMail missed IMAP-I18N specification which says that LOGIN does not do 8bit passwords.

CVE-2009-1581 is about increasing sanitizing in html filtering code.

These undefined charset and language errors are about undefined local variables. Warnings are displayed but they are not exploitable. SquirrelMail 1.4.8+ and 1.5.1+ core code does not have security issues with register_globals=on. It is highly unlikely that such issues will pop up in any SquirrelMail release between 1.4.8 and 1.4.21. You have to remove rg sanitizing in order to make SquirrelMail vulnerable to variables injected through register_globals.

The only reason for fixing it is to admit that packager broke the code without testing it properly.
Comment 11 Ferry Huberts 2011-04-26 05:33:22 EDT
same issues on rhel 5.6, please retarget bug for 5.6


[Tue Apr 26 11:25:47 2011] [error] [client 192.168.180.1] PHP Notice:  Undefined variable: charset_converted in /usr/share/squirrelmail/functions/mime.php on line 316, referer: https://gittest.local/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX
[Tue Apr 26 11:25:47 2011] [error] [client 192.168.180.1] PHP Notice:  Undefined variable: charset in /usr/share/squirrelmail/functions/mime.php on line 317, referer: https://gittest.local/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX
[Tue Apr 26 11:25:47 2011] [error] [client 192.168.180.1] PHP Notice:  Undefined variable: charset in /usr/share/squirrelmail/functions/mime.php on line 317, referer: https://gittest.local/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX
[Tue Apr 26 11:25:47 2011] [error] [client 192.168.180.1] PHP Notice:  Undefined variable: charset in /usr/share/squirrelmail/functions/mime.php on line 317, referer: https://gittest.local/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX
Comment 12 Tomas 2011-04-28 00:48:00 EDT
(In reply to comment #11)
> same issues on rhel 5.6, please retarget bug for 5.6

You should ask RH why they continue to use 1.4.8 and don't upgrade or don't incorporate any security patches from 2010.
Comment 13 Michal Hlavinka 2011-04-28 02:27:39 EDT
(In reply to comment #12)
> (In reply to comment #11)
> > same issues on rhel 5.6, please retarget bug for 5.6

Changing version from "5.5" to "5.6" has no effect. We know that this bug is valid for 5.6. We'd close this bug otherwise

> You should ask RH why they continue to use 1.4.8 and don't upgrade 

In Fedora land we upgrade squirrelmail (or any other package) regularly, but RHEL is different kind of product. In ideal state we'd never ever upgrade any package, but only cherry pick patches. (it's not that simple, but there is strict policy about this). Package needs to get approved by product management which calculates all pros/cons/regression-risks/work-required(Eng,QA,Rel,...) and I can't affect it too much. 

Of course I'd like to fix them, but I'm just one piece of big puzzle (process).

(In reply to comment #10)
> The only reason for fixing it is to admit that packager broke the 
> code without testing it properly.

yes, bug happens. I don't know how it was tested or why tests did not catch it, because I became squirrelmail maintainer some time later, but I'm pretty sure it did not skip testing

> or don't incorporate any security patches from 2010.

afaik there should be no (except "low" - which is decided by security response team) security patches missing (those that have CVE id assigned). All of them should be in bugzilla with comments from security team. If you think some is really important but marked as "low", you can always comment on that bug.
Comment 14 Ferry Huberts 2011-04-28 02:36:30 EDT
well with many users using webmail via squirrelmail, my logfiles are filled with this error like crazy.

other (important) messages are drowned out with this rather annoying and UNNEEDED message.

so yes, I consider this a security issue since it makes me miss the important messages
Comment 15 Michal Hlavinka 2011-04-28 10:01:12 EDT
(In reply to comment #14)
> so yes, I consider this a security issue since it makes me miss the important
> messages

unfortunately, this is far from what is seen as a security bug

You can configure syslog to grep out unneeded messages.

Btw, bugzilla is bug tracking system, nothing more. For RHEL support, people should use https://access.redhat.com/support/ and file proper case. Having filed at least one case for bug bumps bug's priority, so it gets fixed sooner.
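
Comments 14 and 15 turn on the repeated notice burying other log entries. As an added example (not part of the original thread and not SquirrelMail or Red Hat code), this Python filter collapses the "Undefined variable" notices into counts and passes every other line through untouched. It assumes the Apache 2.2 error_log layout quoted in this report; the function name `triage` and all sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache 2.2 error_log layout as quoted in this report:
#   [timestamp] [level] [client ADDR] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
# The notice this bug produces; a trailing ", referer: ..." is ignored.
NOTICE_RE = re.compile(
    r"^PHP Notice:\s+Undefined variable: (?P<var>\w+) "
    r"in (?P<file>\S+) on line (?P<line>\d+)"
)

# Constructed sample: format copied from the report, values invented.
P = "[Tue Apr 26 11:25:47 2011] [error] [client 192.0.2.10] "
M = "/usr/share/squirrelmail/functions/mime.php"
SAMPLE_LOG = "\n".join([
    P + f"PHP Notice:  Undefined variable: charset_converted in {M} on line 316, referer: https://mail.example.test/src/right_main.php",
    P + f"PHP Notice:  Undefined variable: charset in {M} on line 317, referer: https://mail.example.test/src/right_main.php",
    P + f"PHP Notice:  Undefined variable: charset in {M} on line 317",
    P + "File does not exist: /var/www/html/favicon.ico",
    P + f"PHP Notice:  Undefined variable: squirrelmail_language in {M} on line 607",
    "[Tue Apr 26 11:26:02 2011] [notice] caught SIGTERM, shutting down",
    "free-form line written by something else",
])

def triage(log_text):
    """Split a log into (Counter of undefined-variable notices, other lines).

    Lines that do not parse are kept, never dropped, so the filter cannot
    hide an entry it fails to classify.
    """
    notices, others = Counter(), []
    for raw in log_text.splitlines():
        entry = LINE_RE.match(raw)
        hit = NOTICE_RE.match(entry["msg"]) if entry else None
        if hit:
            notices[(hit["var"], hit["file"], int(hit["line"]))] += 1
        elif raw.strip():
            others.append(raw)
    return notices, others

if __name__ == "__main__":
    counts, rest = triage(SAMPLE_LOG)
    for (var, path, line), n in counts.most_common():
        print(f"{n:5d}x undefined ${var} at {path}:{line}")
    print("\n".join(rest))
```

The per-location counts also make a new variable or line number stand out, which a plain grep exclusion would silently discard.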
Comment 16 RHEL Product and Program Management 2011-05-31 11:03:37 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 17 RHEL Product and Program Management 2011-09-22 20:41:41 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 20 RHEL Product and Program Management 2012-04-02 10:18:18 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 26 errata-xmlrpc 2013-01-07 23:58:01 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0126.html
